Comparing changes

base repository: NixOS/nixpkgs
base: 1406d8b314a4
head repository: NixOS/nixpkgs
compare: 6f1165a0cbb5

Commits on Apr 17, 2020

  1. 10dd3f3
  2. linux: explicitly enable SYSVIPC

    The linux-hardened patch set removes this default, probably because of
    its original focus on Android kernel hardening.
    emilazy committed Apr 17, 2020 (3d01e80)
  3. linux_*_hardened: use linux-hardened patch set

    This is an updated version of the former upstream,
    https://github.com/AndroidHardeningArchive/linux-hardened, and provides
    a minimal set of additional hardening patches on top of upstream.

    The patch already incorporates many of our hardened profile defaults,
    and releases are timely (Linux 5.5.15 and 5.6.2 were released on
    2020-04-02; linux-hardened patches for them came out on 2020-04-03 and
    2020-04-04 respectively).
    emilazy committed Apr 17, 2020 (0d4f35e)
  4. linux_*_hardened: don't set X86_X32

    As far as I can tell, this has never defaulted to on upstream, and our
    common kernel configuration doesn't turn it on, so the attack surface
    reduction here is somewhat homeopathic.
    emilazy committed Apr 17, 2020 (7d5352d)
  5. linux_*_hardened: don't set VMAP_STACK

    This has been on by default upstream for as long as it's been an option.
    emilazy committed Apr 17, 2020 (3d4c8ae)
  6. 8efe83c
  7. 8c68055
  8. linux_*_hardened: don't set RANDOMIZE_{BASE,MEMORY}

    These are on by default for x86 in upstream linux-5.6.2, and turned on
    for arm64 by anthraxx/linux-hardened@90f9670.
    emilazy committed Apr 17, 2020 (130f681)
  9. db6b327
  10. 33b94e5
  11. 303bb60
  12. linux_*_hardened: don't set {,IO_}STRICT_DEVMEM

    STRICT_DEVMEM is on by default in upstream 5.6.2; IO_STRICT_DEVMEM is
    turned on by anthraxx/linux-hardened@103d23c.

    Note that anthraxx/linux-hardened@db1d27e
    disables DEVMEM by default, so this is only relevant if that default is
    overridden to turn it back on.
    emilazy committed Apr 17, 2020 (0611462)
  13. 3eeb524
  14. 4fb796e
  15. 0d5f169
  16. ed89b5b
  17. 7fdfe53
  18. 3b32cd2
  19. cf1bce6
  20. 9da578a
  21. 71bbd87
  22. af4f57b
  23. 46d12cc
  24. cc28d51
  25. 84f258b
  26. nixos/hardened: enable user namespaces for root

    linux-hardened sets kernel.unprivileged_userns_clone=0 by default; see
    anthraxx/linux-hardened@104f440.

    This allows the Nix sandbox to function while reducing the attack
    surface posed by user namespaces, which allow unprivileged code to
    exercise lots of root-only code paths and have led to privilege
    escalation vulnerabilities in the past.

    We can safely leave user namespaces on for privileged users, as root
    already has root privileges, but if you're not running builds on your
    machine and really want to minimize the kernel attack surface then you
    can set security.allowUserNamespaces to false.

    Note that Chrome's sandbox requires either unprivileged CLONE_NEWUSER or
    setuid, and Firefox's silently reduces the security level if it isn't
    allowed (see about:support), so desktop users may want to set:

        boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;
    emilazy committed Apr 17, 2020 (ad9bfe2)
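A way to check, on a booted system, that the running kernel really provides the defaults the profile now stops setting explicitly. This is an added example, not code from nixpkgs or from this pull request. It assumes the usual /proc/sys layout; the expected values are an assumption assembled from the sysctls this comparison removes from hardened.nix plus the kernel.unprivileged_userns_clone=0 default described in the commit message above, and the "ge" thresholds deliberately accept a stricter kernel default (for example bpf_jit_harden=2). The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not part of nixpkgs or this PR): audit the sysctls that the
# hardened profile used to pin explicitly and now expects the linux-hardened
# kernel to provide as compiled-in defaults.
#
# Each entry is name:op:value. "eq" requires the exact value; "ge" accepts the
# value or anything stricter (the patch set may default to more than the old
# profile asked for, e.g. bpf_jit_harden=2). This list is an assumption built
# from the settings removed in this comparison; neither the kernel nor nixpkgs
# exports it.
HARDENED_SYSCTLS="
kernel.unprivileged_userns_clone:eq:0
kernel.dmesg_restrict:ge:1
kernel.kptr_restrict:ge:2
kernel.unprivileged_bpf_disabled:ge:1
net.core.bpf_jit_harden:ge:1
vm.mmap_min_addr:ge:65536
vm.mmap_rnd_bits:ge:32
vm.unprivileged_userfaultfd:eq:0
"

# audit_hardened_sysctls [PROC_SYS_ROOT]
# Prints one line per setting and returns the number of settings that are
# missing or weaker than expected (0 means the kernel matches the policy).
# PROC_SYS_ROOT defaults to /proc/sys; pass a copied tree to audit offline.
audit_hardened_sysctls() {
  root="${1:-/proc/sys}"
  failures=0
  for entry in $HARDENED_SYSCTLS; do
    name="${entry%%:*}"
    rest="${entry#*:}"
    op="${rest%%:*}"
    want="${rest#*:}"
    # kernel.kptr_restrict -> $root/kernel/kptr_restrict
    file="$root/$(printf '%s' "$name" | tr . /)"

    if [ ! -r "$file" ]; then
      # A missing knob is a policy gap too: kernel.unprivileged_userns_clone
      # only exists on kernels carrying the linux-hardened (or a similar) patch.
      printf 'MISSING %s\n' "$name"
      failures=$((failures + 1))
      continue
    fi

    have="$(cat "$file")"
    ok=0
    case "$op" in
      eq) if [ "$have" -eq "$want" ] 2>/dev/null; then ok=1; fi ;;
      ge) if [ "$have" -ge "$want" ] 2>/dev/null; then ok=1; fi ;;
    esac

    if [ "$ok" -eq 1 ]; then
      printf 'OK      %s = %s\n' "$name" "$have"
    else
      printf 'WEAK    %s = %s (expected %s %s)\n' "$name" "$have" "$op" "$want"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# When run as a script, audit the live kernel (the listed files are
# world-readable on stock kernels, so root is not required to read them).
audit_hardened_sysctls "${1:-/proc/sys}" \
  || printf '%s setting(s) missing or weaker than the hardened profile expects\n' "$?"
```

A MISSING line for kernel.unprivileged_userns_clone means the booted kernel is not carrying the linux-hardened patch set at all, which is exactly the situation in which the profile's former explicit sysctls would still have applied, so it is worth running this after any change to boot.kernelPackages.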
  27. b0d5032
  28. fe031d0
  29. nixos/release-{small,combined}: add latestKernel.login

    Seems like a good idea to ensure that you can always use the latest
    stable upstream kernel.
    emilazy committed Apr 17, 2020 (e133e39)
  30. nixos/release-combined: add {,latestKernel.}hardened

    These now depend on an external patch set; add them to the release tests
    to ensure that the build doesn't break silently as new kernel updates
    are merged.
    emilazy committed Apr 17, 2020 (2e31fb4)

Commits on Apr 19, 2020

  1. Merge pull request #84522 from emilazy/add-linux-hardened-patches

    linux_*_hardened: use linux-hardened patch set
    lukateras authored Apr 19, 2020 (6f1165a)
39 changes: 1 addition & 38 deletions nixos/modules/profiles/hardened.nix
@@ -7,7 +7,7 @@ with lib;

{
meta = {
maintainers = [ maintainers.joachifm ];
maintainers = [ maintainers.joachifm maintainers.emily ];
};

boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
@@ -21,8 +21,6 @@ with lib;

security.lockKernelModules = mkDefault true;

security.allowUserNamespaces = mkDefault false;

security.protectKernelImage = mkDefault true;

security.allowSimultaneousMultithreading = mkDefault false;
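Review bot: removing `security.allowUserNamespaces = mkDefault false;` makes the user-namespace restriction depend entirely on the kernel's compiled-in `kernel.unprivileged_userns_clone=0` default cited in the commit message, whereas the option enforced it through NixOS regardless of which kernel boots. Since `boot.kernelPackages` in this file is only `mkDefault pkgs.linuxPackages_hardened`, a user who keeps the profile but overrides the kernel package silently loses the restriction. Add a comment at this spot saying the restriction now comes from the linux-hardened patch set, and consider an assertion or warning when `boot.kernelPackages` is not one of the hardened variants.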
@@ -37,15 +35,9 @@ with lib;
# Slab/slub sanity checks, redzoning, and poisoning
"slub_debug=FZP"

# Disable slab merging to make certain heap overflow attacks harder
"slab_nomerge"

# Overwrite free'd memory
"page_poison=1"

# Disable legacy virtual syscalls
"vsyscall=none"

# Enable page allocator randomization
"page_alloc.shuffle=1"
];
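Review bot: no rationale is given anywhere on this page for dropping `slab_nomerge`, `page_poison=1` and `vsyscall=none`, while `slub_debug=FZP` and `page_alloc.shuffle=1` stay. These are boot parameters rather than build-time options, so they cost nothing to keep and would still apply to a non-hardened kernel substituted via `boot.kernelPackages`; if the patch set's Kconfig defaults make each of them redundant, the commit message or a comment above the remaining entries should name the option that supersedes it, as the X86_X32, VMAP_STACK and STRICT_DEVMEM commits do for their settings.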
@@ -82,38 +74,12 @@ with lib;
# (e.g., parent/child)
boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;

# Restrict access to kernel ring buffer (information leaks)
boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;

# Hide kptrs even for processes with CAP_SYSLOG
boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;

# Unprivileged access to bpf() has been used for privilege escalation in
# the past
boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true;

# Disable bpf() JIT (to eliminate spray attacks)
boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;

# ... or at least apply some hardening to it
boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;

# Raise ASLR entropy for 64bit & 32bit, respectively.
#
# Note: mmap_rnd_compat_bits may not exist on 64bit.
boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32;
boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16;

# Allowing users to mmap() memory starting at virtual address 0 can turn a
# NULL dereference bug in the kernel into code execution with elevated
# privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory
# space. This breaks applications that require mapping the 0 page, such as
# dosemu or running 16bit applications under wine. It also breaks older
# versions of qemu.
#
# The value is taken from the KSPP recommendations (Debian uses 4096).
boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;

# Disable ftrace debugging
boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;

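Review bot: eight sysctls become implicit in this hunk, yet the test hunk further down only exercises `dmesg_restrict` (`# Test dmesg restriction`); `kptr_restrict`, `unprivileged_bpf_disabled`, `bpf_jit_enable`/`bpf_jit_harden`, `mmap_rnd_bits` and `mmap_min_addr` now rest on the patch set's defaults with nothing asserting them. Note also that `kptr_restrict` was pinned with `mkOverride 500 2`, the same priority kept for `kernel.yama.ptrace_scope` just above, so whoever wrote it wanted it to win over other modules' defaults; confirm the linux-hardened default is 2 rather than 1 before dropping it, or keep the sysctls (they are harmless when they match the kernel default) so the profile's policy stays readable in this module rather than only in an external patch.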
@@ -140,7 +106,4 @@ with lib;
# Ignore outgoing ICMP redirects (this is ipv4 only)
boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;

# Restrict userfaultfd syscalls to processes with the SYS_PTRACE capability
boot.kernel.sysctl."vm.unprivileged_userfaultfd" = mkDefault false;
}
3 changes: 3 additions & 0 deletions nixos/release-combined.nix
@@ -75,6 +75,7 @@ in rec {
(onFullSupported "nixos.tests.fontconfig-default-fonts")
(onFullSupported "nixos.tests.gnome3")
(onFullSupported "nixos.tests.gnome3-xorg")
(onFullSupported "nixos.tests.hardened")
(onSystems ["x86_64-linux"] "nixos.tests.hibernate")
(onFullSupported "nixos.tests.i3wm")
(onSystems ["x86_64-linux"] "nixos.tests.installer.btrfsSimple")
@@ -96,6 +97,8 @@ in rec {
(onFullSupported "nixos.tests.keymap.dvp")
(onFullSupported "nixos.tests.keymap.neo")
(onFullSupported "nixos.tests.keymap.qwertz")
(onFullSupported "nixos.tests.latestKernel.hardened")
(onFullSupported "nixos.tests.latestKernel.login")
(onFullSupported "nixos.tests.lightdm")
(onFullSupported "nixos.tests.login")
(onFullSupported "nixos.tests.misc")
1 change: 1 addition & 0 deletions nixos/release-small.nix
@@ -101,6 +101,7 @@ in rec {
"nixos.tests.installer.separateBoot.x86_64-linux"
"nixos.tests.installer.simple.x86_64-linux"
"nixos.tests.ipv6.x86_64-linux"
"nixos.tests.latestKernel.login.x86_64-linux"
"nixos.tests.login.x86_64-linux"
"nixos.tests.misc.x86_64-linux"
"nixos.tests.nat.firewall-conntrack.x86_64-linux"
1 change: 1 addition & 0 deletions nixos/tests/all-tests.nix
@@ -160,6 +160,7 @@ in
# kubernetes.e2e should eventually replace kubernetes.rbac when it works
#kubernetes.e2e = handleTestOn ["x86_64-linux"] ./kubernetes/e2e.nix {};
kubernetes.rbac = handleTestOn ["x86_64-linux"] ./kubernetes/rbac.nix {};
latestKernel.hardened = handleTest ./hardened.nix { latestKernel = true; };
latestKernel.login = handleTest ./login.nix { latestKernel = true; };
ldap = handleTest ./ldap.nix {};
leaps = handleTest ./leaps.nix {};
11 changes: 8 additions & 3 deletions nixos/tests/hardened.nix
@@ -1,4 +1,4 @@
import ./make-test.nix ({ pkgs, ...} : {
import ./make-test.nix ({ pkgs, latestKernel ? false, ... } : {
name = "hardened";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ joachifm ];
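Review bot: the profile's maintainers list gains `maintainers.emily` in hardened.nix, but this test keeps `maintainers = [ joachifm ];`; add `emily` here too so that failures of the test now wired into the release sets reach the same people as failures of the profile.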
@@ -10,6 +10,8 @@ import ./make-test.nix ({ pkgs, ...} : {
{ users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
users.users.sybil = { isNormalUser = true; group = "wheel"; };
imports = [ ../modules/profiles/hardened.nix ];
boot.kernelPackages =
lib.mkIf latestKernel pkgs.linuxPackages_latest_hardened;
environment.memoryAllocator.provider = "graphene-hardened";
nix.useSandbox = false;
virtualisation.emptyDiskImages = [ 4096 ];
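Review bot: `nix.useSandbox = false;` is left untouched although the userns commit message claims the new default "allows the Nix sandbox to function" now that root may create user namespaces; turning the sandbox on in this test (or adding a small `nix-build` in the test script) would actually verify that claim instead of leaving it asserted only in prose. Independently, `lib.mkIf latestKernel pkgs.linuxPackages_latest_hardened` relies on the profile using `mkDefault` for `boot.kernelPackages`; a one-line comment saying so would save the next reader from checking priorities.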
@@ -23,7 +25,9 @@ import ./make-test.nix ({ pkgs, ...} : {
options = [ "noauto" ];
};
};
boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
boot.extraModulePackages =
optional (versionOlder config.boot.kernelPackages.kernel.version "5.6")
config.boot.kernelPackages.wireguard;
boot.kernelModules = [ "wireguard" ];
};

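Review bot: `optional` and `versionOlder` are used unqualified here while the `boot.kernelPackages` line above writes `lib.mkIf`; the bare names only resolve if `lib`'s attributes are in scope (`with lib;`), which this hunk does not show, so use `lib.optional` / `lib.versionOlder` for consistency. The `"5.6"` cutoff also deserves a comment (WireGuard is in-tree from Linux 5.6), because `boot.kernelModules = [ "wireguard" ];` stays unconditional and a reader may otherwise expect the out-of-tree module package to be needed on every kernel.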
@@ -76,7 +80,8 @@ import ./make-test.nix ({ pkgs, ...} : {
# Test userns
subtest "userns", sub {
$machine->fail("unshare --user");
$machine->succeed("unshare --user true");
$machine->fail("su -l alice -c 'unshare --user true'");
};
# Test dmesg restriction
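Review bot: `$machine->fail("su -l alice -c 'unshare --user true'")` passes on any non-zero exit, including a broken `su -l alice` or a missing `unshare`, so on its own it does not prove that the user-namespace restriction is what blocked alice. Pair it with a positive control such as `$machine->succeed("su -l alice -c true")` and check the knob the commit message relies on, e.g. `$machine->succeed("[ \"$(sysctl -n kernel.unprivileged_userns_clone)\" = 0 ]")`, so the subtest fails loudly if the sysctl ever disappears from the patch set.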
@@ -52,6 +52,6 @@ stdenv.mkDerivation rec {
'';
license = licenses.mit;
maintainers = with maintainers; [ ris ];
platforms = [ "x86_64-linux" ];
platforms = [ "x86_64-linux" "aarch64-linux" ];
};
}